Sunday, February 9, 2014

[emsisoft] CryptoLocker – a new ransomware variant

Over the past few days
Emsisoft’s malware research team has received numerous reports of a new
file encrypting ransomware strain. This new family of ransomware is
commonly referred to as CryptoLocker or Trojan:Win32/Crilock.A.

[Image: Ransom note as presented by CryptoLocker]

Like all file-encrypting ransomware (also known as crypto malware),
its goal is to encrypt important files on the victim's system in order
to compel the victim to pay a ransom in return for those files.

Initial infection and establishing communication

Based on the data we have gathered so far, the infection is mainly
spread via social engineering techniques. Multiple victims received
emails with alleged customer complaints containing an attachment that is
in fact a malware downloader. This downloader then downloads and
installs the actual CryptoLocker malware. Once CryptoLocker has been
downloaded and executed by the downloader, it ensures its automatic
start during boot by using the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = %appdata%\{CLSID}.exe (note that the file name consists of random hexadecimal numbers).
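A triage check for that persistence entry, added here as an example (it is not Emsisoft's code and not part of the original post): it parses a constructed `reg export` of the Run key and flags both the literal CryptoLocker value name and any executable named like a GUID sitting directly under %appdata%, whether the path is still unexpanded or already expanded to ...\AppData\Roaming. The brace-and-hex shape of the file name and every line of the sample export are assumptions; the post only says the name is made of random hexadecimal numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of `reg export "HKCU\...\Run"` output; not taken from a
// real infection. Backslashes are doubled, as in any .reg file.
const sampleRunKeyExport = `Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"CryptoLocker"="%appdata%\\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}.exe"
"Spotify"="\"C:\\Users\\victim\\AppData\\Roaming\\Spotify\\Spotify.exe\" --autostart"
"Updater"="C:\\Users\\victim\\AppData\\Roaming\\{DEADBEEF-0000-1111-2222-333344445555}.exe"
`

var (
	// "Name"="data" lines of a .reg export.
	valueLine = regexp.MustCompile(`^"([^"]+)"="(.*)"$`)
	// A {hex-and-dashes}.exe directly under %appdata%, unexpanded or expanded
	// to ...\AppData\Roaming. The brace/hex shape is an assumption; the post
	// only says the name consists of random hexadecimal numbers.
	clsidExe = regexp.MustCompile(`(?i)(?:%appdata%|\\appdata\\roaming)\\\{[0-9a-f-]+\}\.exe`)
)

// Finding is one suspicious autostart entry.
type Finding struct {
	Name, Data, Reason string
}

// TriageRunKey returns the Run-key values matching either indicator.
func TriageRunKey(regExport string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(regExport, "\n") {
		m := valueLine.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil {
			continue
		}
		// Undo the .reg escaping so the path regex sees single backslashes.
		name, data := m[1], strings.ReplaceAll(m[2], `\\`, `\`)
		switch {
		case strings.EqualFold(name, "CryptoLocker"):
			out = append(out, Finding{name, data, "value name used by CryptoLocker"})
		case clsidExe.MatchString(data):
			out = append(out, Finding{name, data, "GUID-named executable directly under %appdata%"})
		}
	}
	return out
}

func main() {
	for _, f := range TriageRunKey(sampleRunKeyExport) {
		fmt.Printf("SUSPICIOUS %-12s %-70s %s\n", f.Name, f.Data, f.Reason)
	}
}
```

On the sample above the OneDrive and Spotify entries pass (their executables live in a named subfolder, not directly under the Roaming root), while the CryptoLocker and Updater entries are flagged. Run the same function over a `reg export` of HKLM\...\Run as well; the post only documents the HKCU value.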

Once the system is infected, CryptoLocker tries to establish a
connection with its command and control server. The malware has two
ways to contact its master. First it tries the hardcoded
IP 184.164.136.134, which has since been taken down.

Partial domain generation algorithm

If that fails, the malware falls back to a domain generation algorithm
(DGA): it derives a seemingly random string of characters from the
current system time and uses it as the label in front of one of the
following seven possible top level domains:

.com

.net

.biz

.ru

.org

.co.uk

.info

Anyone who knows the algorithm can predict which domain names the
malware will try to contact on any given day. For the attacker this
means new domains can be registered ahead of time in case the old
domains or the fixed IP mentioned above are taken down; for defenders
who have reverse engineered the algorithm, the same prediction allows
those domains to be sinkholed or blocked in advance. At the time this
blog post was written, we found the following generated domain names to
be active:

xeogrhxquuubt.com

qaaepodedahnslq.org
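To make the prediction argument concrete, here is an added example in Go (not CryptoLocker's algorithm, which the post does not publish, and not Emsisoft's code): a hypothetical date-seeded generator with the same outward shape as the domains quoted above (a 12 to 15 letter label plus one of the seven TLDs), a watchlist builder that precomputes every candidate for a window of days, and a matcher that runs resolver-log query names against that watchlist. Everything except the seven TLDs is an assumption, including the SHA-256 seeding, the label-length range and the constructed DNS queries.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// The seven top level domains named in the post.
var tlds = []string{".com", ".net", ".biz", ".ru", ".org", ".co.uk", ".info"}

// HypotheticalDGA stands in for a date-seeded generator. It is NOT
// CryptoLocker's algorithm: each candidate is SHA-256(date || index), turned
// into a 12-15 letter label plus one of the seven TLDs. The label-length
// range is an assumption based on the two live domains quoted in the post.
func HypotheticalDGA(day time.Time, count int) []string {
	date := []byte(day.UTC().Format("2006-01-02"))
	doms := make([]string, 0, count)
	for i := 0; i < count; i++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		h := sha256.Sum256(append(append([]byte{}, date...), idx[:]...))
		n := 12 + int(h[0]%4)
		var sb strings.Builder
		for j := 0; j < n; j++ {
			sb.WriteByte('a' + h[2+j]%26)
		}
		doms = append(doms, sb.String()+tlds[h[1]%7])
	}
	return doms
}

// DomainWatchlist precomputes every candidate for a window of days, which is
// what lets a defender sinkhole or block the domains before the malware asks
// for them (the attacker uses the same knowledge to register them). The
// window also absorbs clock skew between victims.
func DomainWatchlist(from time.Time, days, perDay int) map[string]string {
	wl := make(map[string]string, days*perDay)
	for d := 0; d < days; d++ {
		day := from.AddDate(0, 0, d)
		for _, dom := range HypotheticalDGA(day, perDay) {
			wl[dom] = day.UTC().Format("2006-01-02")
		}
	}
	return wl
}

// FlagDNSQueries matches resolver-log query names against the watchlist.
func FlagDNSQueries(queries []string, wl map[string]string) []string {
	var hits []string
	for _, q := range queries {
		name := strings.ToLower(strings.TrimSuffix(q, "."))
		if day, ok := wl[name]; ok {
			hits = append(hits, fmt.Sprintf("%s (DGA candidate for %s)", q, day))
		}
	}
	return hits
}

func main() {
	today := time.Date(2014, time.February, 9, 0, 0, 0, 0, time.UTC)
	wl := DomainWatchlist(today, 3, 1000)
	// Constructed resolver log: two benign names and one of today's candidates.
	queries := []string{"emsisoft.com.", HypotheticalDGA(today, 1)[0], "windowsupdate.microsoft.com."}
	for _, h := range FlagDNSQueries(queries, wl) {
		fmt.Println("ALERT", h)
	}
}
```

The number of candidates per day (1000 here) is a parameter of the real algorithm, not something the post states; whatever it is, a watchlist of a few days times that count is small enough to load into a resolver's response policy zone or a proxy block list.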

Once a suitable command and control server has been found, the
malware will start to communicate through regular HTTP POST requests.

[Image: Public key used by the malware for communication with its command and control server]

HTTP merely acts as a wrapper, though. All actual data exchanged
between the bot and its command and control server is encrypted using
RSA, and the public key used for that encryption is embedded inside the
malware file. Encrypting the traffic with an RSA key the attacker
controls not only hides the actual conversation between the malware and
its server, but also makes sure the malware is talking to the attacker's
server and not a sinkhole controlled by malware researchers: a sinkhole
does not hold the matching private key, so it cannot even read what the
malware sends it.

File encryption

[Image: Decoded initial request to obtain the RSA public key used for encryption]

Once the system has been successfully infected and a communication
channel to the command and control server has been established, the
malware will start the encryption process by requesting an encryption
key. A typical request includes the version of the malware, a numeric
id, the system’s network name, a group id as well as the language of the
system.

[Image: Decoded reply sent by the server to a key request]

The command and control server replies with the victim's IP address,
as well as a unique RSA public key, which will be used by the malware
during the further encryption process.

As soon as the infection specific RSA key has been obtained, the
malware will look for files to encrypt. It does so by searching through
all connected drives, including mapped network shares, for files
matching one of the following patterns:

For each file matching one of these patterns, the malware will
generate a new 256 bit AES key. This key will then be used to encrypt
the content of the file using the AES algorithm. The AES key is then
encrypted using the unique RSA public key obtained earlier. The RSA
encrypted AES key and the AES encrypted file content, together with
some additional header information, are then written back to the
file. Last but not least, the malware logs the encryption of the
file within the HKEY_CURRENT_USER\Software\CryptoLocker\Files registry
key. This key is later used by the malware to present the list of
encrypted files to the user and to speed up decryption.

Based on the file types list, it is also clear that business users
are specifically targeted. Crypto malware intended for home users will
target music, picture, and video files. This malware though primarily
targets file formats used by companies, completely ignoring common home
user file types.

Decryption

Unfortunately, once the encryption of the data is complete,
decryption is not feasible. To obtain the file-specific AES key needed
to decrypt a file, you need the private RSA key corresponding to the
RSA public key the command and control server generated for the
victim's system. That private key never leaves the command and control
server, putting it out of reach of everyone except the attacker. The
recommended solution is to restore encrypted files from a backup.

In order to clean the actual infection, run a full scan with Emsisoft Anti-Malware or the Emsisoft Emergency Kit and quarantine all detected objects.
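The per-file scheme described in the File encryption section, and the reason the Decryption section gives for why only the attacker can reverse it, as an added example in Go (not CryptoLocker's code or its on-disk format, and not Emsisoft's): EncryptFile draws a fresh 256-bit AES key for each file, encrypts the content with it, wraps that key with the victim-specific RSA public key, and emits header + wrapped key + nonce + ciphertext as the new file body; DecryptFile is the attacker-side path, which only works with the matching private key. The container layout and magic string, AES-GCM as the mode, RSA-OAEP as the wrapping and the 2048-bit key size are all assumptions; the post names only AES-256 and RSA.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// magic marks the constructed container format; the real header layout is
// not described in the post.
var magic = []byte("HYBRIDv1")

// EncryptFile: fresh 256-bit AES key per file, content encrypted with it
// (GCM here; the post does not name the mode), key wrapped with the
// victim-specific RSA public key, then magic | len | wrapped key | nonce |
// ciphertext as the new file body.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, magic)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	out.Write(magic)
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(ct)
	return out.Bytes(), nil
}

// DecryptFile is what the attacker's decryptor does. Without priv the only
// way to recover fileKey is to break RSA, which is why restoring from a
// backup is the realistic recovery path.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < len(magic)+2 || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not a file encrypted by this scheme")
	}
	r := blob[len(magic):]
	n := int(binary.BigEndian.Uint16(r[:2]))
	r = r[2:]
	if len(r) < n {
		return nil, errors.New("truncated wrapped key")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, r[:n], nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed (wrong private key?): %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(r) < n+gcm.NonceSize() {
		return nil, errors.New("truncated nonce")
	}
	nonce, ct := r[n:n+gcm.NonceSize()], r[n+gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, magic)
}

func main() {
	// The per-victim key pair the C2 server generates and keeps server-side.
	victimKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("constructed sample document: Q4 invoices")
	blob, _ := EncryptFile(&victimKey.PublicKey, doc)
	fmt.Printf("encrypted body: %d bytes for %d bytes of plaintext\n", len(blob), len(doc))
	if pt, err := DecryptFile(victimKey, blob); err == nil {
		fmt.Printf("attacker-side decrypt: %q\n", pt)
	}
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err := DecryptFile(otherKey, blob)
	fmt.Println("decrypt without the victim's private key:", err)
}
```

Note what the scheme implies for forensics: the wrapped AES key in each file is useless on its own, but the victim-specific public key that produced it is the same across all of that victim's files, so a decryptor supplied by the attacker needs only one private key per victim, not one per file.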

Prevention

Especially when decryption of encrypted files is impossible,
prevention is of the utmost importance. An offline backup as well as
adequate protection are imperative. The backup must be truly offline:
the malware encrypts mapped network shares along with local drives, so
a backup that is reachable as a mapped drive from the infected system
is encrypted with everything else.